I have a number of IKEv2 Site-to-Site tunnels on my ASA. Some of them are only brought up when we want them to be and we have a script that deletes a route and clears the IPSEC SA when they are not in use.
The problem I have is that when we do this, the logs flood with hundreds of entries per minute with up/down alarms (750002, 750006, 750007, 751022 and 113019) for those tunnels.
Is there a way of suppressing those alarms while we are preventing access? Perhaps there is a better way to remove certain config that would stop the alarms, rather than us deleting the route and clearing the SA?
Any tips/advice welcome!
You could remove those alerts, but then you'd not recieve them for other tunnels. It might be bette to remove the crypto map configuration, such as remove the peer or ACL reference.
no crypto map CM 10 match address R1_VPN
no crypto map CM 10 set peer 184.108.40.206
Thanks for the tips but that hasn't helped either. I even went as far as removing the tunnel config but still ended up getting constant 750002 and 751002 messages
Anyone else got any thoughts?
Ah ok, it looks like 750002 relates to an inbound SA initiation request, so your peer is attempting to establish the tunnel.
You could apply a control-plane ACL on the outside interface, denying udp/500, esp from the peers you do not wish to establish a tunnel and permitting all else.